OpenVPN + quagga OSPF Need some help

d83

Hello,

I have tried to follow the PfSense book "OpenVPN Site-to-Site with Multi-WAN and OSPF". Through packet capture I can see the "Hello" coming in,  it looks like this

Packet capture interface set to "main"

Main VPN

14:35:29.551867 IP 192.168.88.2 > 224.0.0.5: OSPFv2, Hello, length 48
14:35:34.446163 IP 192.168.88.1 > 224.0.0.5: OSPFv2, Hello, length 48

Packet capture interface set to "At&t"

At&t VPN

14:36:54.374149 IP 192.168.44.1 > 224.0.0.5: OSPFv2, Hello, length 48
14:37:00.399990 IP 192.168.44.2 > 224.0.0.5: OSPFv2, Hello, length 48

My question is why can I not get a neighborhood to establish? When I go to Services / Quagga OSPF / Status there is nothing in Quagga OSPF General, Quagga OSPF Neighbors, Quagga OSPF Database, Quagga OSPF Router Database, Quagga OSPF Routes, Quagga Zebra Routes, Quagga OSPF Interfaces, Quagga OSPF CPU Usage, and Quagga OSPF CPU Usage.

Quagga ospfd.conf for Office A is

This file was created by the pfSense package manager.  Do not edit!

password 1234
interface ovpns1
  ip ospf cost 10
  ip ospf hello-interval 10
  ip ospf retransmit-interval 6
  ip ospf dead-interval 40
interface ovpns3
  ip ospf cost 20
  ip ospf hello-interval 11
  ip ospf retransmit-interval 7
  ip ospf dead-interval 41
interface igb0

router ospf
  ospf router-id 192.168.1.1
  passive-interface igb0
  network 192.168.88.0/30 area 0.0.0.0
  network 192.168.44.0/30 area 0.0.0.0
  network 192.168.1.0/24 area 0.0.0.0

Quagga zebra.conf

This file was created by the pfSense package manager.  Do not edit!

password 1234

ip prefix-list ACCEPTFILTER deny 192.168.88.0/30
ip prefix-list ACCEPTFILTER deny 192.168.44.0/30
ip prefix-list ACCEPTFILTER deny 192.168.1.0/24
ip prefix-list ACCEPTFILTER permit any
route-map ACCEPTFILTER permit 10
match ip address prefix-list ACCEPTFILTER
ip protocol ospf route-map ACCEPTFILTER

Quagga ospfd.conf for Office B is

This file was created by the pfSense package manager.  Do not edit!

password 1234
interface ovpnc1
  ip ospf cost 10
  ip ospf hello-interval 10
  ip ospf retransmit-interval 6
  ip ospf dead-interval 40
interface ovpnc3
  ip ospf cost 20
  ip ospf hello-interval 11
  ip ospf retransmit-interval 7
  ip ospf dead-interval 41
interface igb0

router ospf
  ospf router-id 192.168.10.1
  passive-interface igb0
  network 192.168.88.0/30 area 0.0.0.0
  network 192.168.44.0/30 area 0.0.0.0
  network 192.168.10.0/24 area 0.0.0.0

Quagga zebra.conf

This file was created by the pfSense package manager.  Do not edit!

password 1234
ip prefix-list ACCEPTFILTER deny 192.168.88.0/30
ip prefix-list ACCEPTFILTER deny 192.168.44.0/30
ip prefix-list ACCEPTFILTER deny 192.168.10.0/24
ip prefix-list ACCEPTFILTER permit any
route-map ACCEPTFILTER permit 10
match ip address prefix-list ACCEPTFILTER
ip protocol ospf route-map ACCEPTFILTER

Can anyone see what I could be doing wrong?

Soyokaze

What do you mean by " there is nothing in Quagga OSPF General "? If there is literally nothing - when your Q/Z is not running at all.
If there is "something" (eg diagnostic info) but OSPF cant establish link…
1st: enable both logging options (will be in system logs - routing)
2nd: don't mangle with hello/retransmit/dead, leave them at defaults. If you REALLY want to play with them - do this AFTER you will get OSPF working
3rd: remove ACCEPT filters, you don't need them, at least now.
4th: start with 1 openvpn interface, after you will make it run - add second. This will be much simpler for you to configure and diagnose. Maybe you just mismatching your VPN links and attempting to configure mismatching hello/dead intervals, which is a NO-NO.

Soyokaze

OR you messed up something while tinkering and zebra with opsf now running with other password, or they just are dead.
If you can - rebuild ospf configuration from scratch, with package remove/reinstall.

Soyokaze

Config looks fine for me.

Soyokaze

Well, it found  a neighbor, so it works.
BUT if you still unable to get diag info - you better rebuild it, to be able to see what's going on.
You got same problem on second router?

Soyokaze

I have ospfd/zebra running on pfs from ~2.1.3 to 2.3.1, all show diag without problems.

Jun 21 16:22:00  ospfd  1267  nsm_change_state(192.168.1.1, Loading -> Full): scheduling new router-LSA origination
Jun 21 16:22:01  ospfd  1267  SPF Processing Time(usecs): External Routes: 6
Jun 21 16:22:14  ospfd  1267  nsm_change_state(192.168.1.1, Full -> Init): scheduling new router-LSA origination
Jun 21 16:22:14  ospfd  1267  SPF: Scheduled in 0 msec
Jun 21 16:22:15  ospfd  1267  SPF Processing Time(usecs): External Routes: 10
Jun 21 16:22:23  ospfd  1267  Packet[DD]: Neighbor 192.168.1.1: Initial DBD from Slave, ignoring.
Jun 21 16:22:23  ospfd  1267  Packet[DD]: Neighbor 192.168.1.1 Negotiation done (Master).
Jun 21 16:22:23  ospfd  1267  nsm_change_state(192.168.1.1, Exchange -> Full): scheduling new router-LSA origination

Yep, it works. If you defined local/remote networks in OpenVPN configuration - you can remove them now and have routes pushed from ospfd.

But still - without status info available you are swimming blindfolded. You can still get this info from shell but wouldn't call that comfortable.

Soyokaze

Oddly, all my settings where still remembered

They are stored in config.xml of pfSense.

Do you see status info after rebuild? If yes, in "Quagga OSPF Neighbors" you should see Router ID of other router.
And most important for you is "Quagga Zebra Routes", there should be routes (prepended by O>) to your LAN on other router.
OpenVPN links are directly connected, so their networks would show up anyway.

Soyokaze

…
Rebuild both pfSenses from scratch?
Or learn how to get info from shell.

Soyokaze

Not quite.
Tunnel network is necessary for tunnel to function, so you should not remove it.
But remote and local networks could be removed (and better be, because they will override OSPF routing).
Key point to understand - after both of your OSPF routers paired - they should have information WHICH networks to announce.
In your case you provided this info through config:
interface igb0
network 192.168.1.0/24 area 0.0.0.0

Soyokaze

1. Show your Zebra routes and system routing table
2. Check firewall rules on OpenVPN tab - better have ANY to ANY until you got it working.
3. If you have 2 openvpn connections between 2 routers - you will have troubles. Adjust cost for tunnels, so then they are both live - one would be preffered.

Soyokaze

Please, draw a network scheme (with interface names and ip/subnets).

Soyokaze

Well, it is clear now.
You write:

The other night I was able to disconnect the main WAN (Charter) in the main office and was able to ping over to the remote office.
However, I was not able to ping from the remote office back to the main office.

But if you look at routing table at branch, you will see

K>* 192.168.1.0/24 via 192.168.88.1, ovpnc1

So remote office still thinks what it should send packets to main office through OpenVPN tunnel which terminates at Charter.
Also, K> says what this route did not came from OSPF (though O  192.168.1.0/24 [110/20] via 192.168.88.1, ovpnc1, 14:29:15 tells OSPF thinks same).

If you haven't statically assign route in 192.168.88.0 tunnel, than you can try to enable "Don't pull routes" on VPN configuration.

I have exactly same situation sometimes, but I didn't found the perfect solution, nor cause. Default configuration for OpenVPN contains ping-restart directive, which should reset OpenVPN tunnel in case of lost connection (and drop assigned routes in process), but this doesn't happen.

Can you create a thread in VPN board, citing your last two posts and this one? Maybe someone could help both us…

d83

Can anyone suggest where I get help with this problem? I really need this to get fixed.  Different forum?